From cc13ba61f48aff3a52ed8938c8f5912bb36a549d Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Sun, 10 Nov 2024 19:52:04 +0100 Subject: [PATCH] refactor(mail): Rewrite config Following this guide: https://wiki.nixos.org/wiki/Stalwart --- secrets/OVHCloud/default.yaml | 5 +- services/stalwart-mail/default.nix | 101 +++++++++++++---------- 2 files changed, 48 insertions(+), 58 deletions(-)
diff --git a/secrets/OVHCloud/default.yaml b/secrets/OVHCloud/default.yaml
index 1740d97..6b58df4 100644
--- a/secrets/OVHCloud/default.yaml
+++ b/secrets/OVHCloud/default.yaml
@@ -55,6 +55,7 @@ penpot:
 STORAGE_ASSETS_S3_ENDPOINT: ENC[AES256_GCM,data:mZjvBvNZC28jUYrK8e6HHixC4GU=,iv:mppmZn7nV/gckB3+GonwQQT5U14qg1FyEnQ92pGDSZI=,tag:rAePtPdd6o+EDC0MrAToKw==,type:str]
 STORAGE_ASSETS_S3_BUCKET: ENC[AES256_GCM,data:nfcjtCQVWhdT1UUYPw==,iv:mF2Esw1GvWAjkabvDde63bAq4V5pXNhbhqsK1dkg5sg=,tag:uE6qKxKSJzYtHWxPMiK3Lw==,type:str]
 stalwart-mail:
+ ACME_SECRET: ENC[AES256_GCM,data:maC7iAMiwFCYXD15IEqaCVi9TqPAIJ15T/yJWSwo4dW3mdqXmItS4hoS2cI=,iv:fWDase9PM2riakQDUiuCTa+W9W4bf7I39k/WSbX4RjI=,tag:+OixerP8JWAjGeh8U+g32g==,type:str]
 ADMIN_SECRET: ENC[AES256_GCM,data:4ytiKxJ55Wm9p6M=,iv:dl1BCtxOu4o+2qC6ZlUw8cluoqDjp16/SN9bhGneRHs=,tag:qEgWrYHQJHDjR2PwK9y8UA==,type:str]
 shadowsocks:
 password: ENC[AES256_GCM,data:IdAvKXKckwvZUetkYSFTIPxd8nrwm13Ngc3KVDSmiW3AE4Rhmjk2VHjdUyQ=,iv:LVeQcL7XIEQyMTsXpXIROGte2+Z9+7FpemfiwhA0Pw0=,tag:qt+8jgN5UqwMeCV+D3stEQ==,type:str]
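Review bot: The new `ACME_SECRET` is handed to Stalwart on the Nix side of this patch as the credential for its `cloudflare` `dns-01` provider, and the ciphertext cannot show what kind of credential it is, so make sure it is a Cloudflare API token limited to `Zone:DNS:Edit` on `gasdev.fr` rather than the account-wide Global API Key. DNS-01 needs nothing beyond editing that zone's records, and a zone-scoped token bounds what a compromise of the `stalwart-mail` account, which owns the decrypted file, could do; a dedicated token is also cheaper to rotate than the account key.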
@@ -91,8 +92,8 @@ sops:
 MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
 y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-07T22:25:47Z"
- mac: ENC[AES256_GCM,data:6LynPNzengBoVm5fPtxHuUxbvMy7Vaf6Qd/ikUcu8/Af3oPhxeBTwN0aOje+oqAVuYFsNLCsf1GGCkZ+U1mK+Fr777vSsl/+T5iG7hcjTht+Gtq2sK93qiGB6rdYrHzuJ6G3hHR1Xl/OGW7TsYj9+2PJvV/Hr18qElr3VDBDJD0=,iv:EQe5Q4FDn9Di4L76eIw/wU+44iCeTS7lrJlPfZvLOdM=,tag:sEYyV4+jN8yEKPfYgrSemg==,type:str]
+ lastmodified: "2024-11-10T17:52:12Z"
+ mac: ENC[AES256_GCM,data:uMHh5OQcsNiOsItwqhb5tovS2ZpCQLjlBmbH83Iu7oWOSaUwqmwWoO1u7LPVmmWbN0JhZldIT84ym9Wg9Tn70Nnd+/B2h+54C86/LLnNlGCUamckMvUSDGwiz2lBLlM9a6C0iprgbBNcYd+5I9Iw62FOs+lB9fmsLg9fqn8W4aU=,iv:7fSoWal+A/EFVKzVJZoKromcTd6McVPHQMmNbDid2m4=,tag:saljEoUMhNHpdGf1bUo3Eg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.1
diff --git a/services/stalwart-mail/default.nix b/services/stalwart-mail/default.nix
index 4397185..4b9a33d 100644
--- a/services/stalwart-mail/default.nix
+++ b/services/stalwart-mail/default.nix
@@ -2,51 +2,73 @@ domain = "gasdev.fr";
 in {
 sops.secrets."stalwart-mail/ADMIN_SECRET".owner = "stalwart-mail";
+ sops.secrets."stalwart-mail/ACME_SECRET".owner = "stalwart-mail";
- services.caddy.virtualHosts."${domain}".extraConfig = ''
- redir https://www.gasdev.fr
- '';
-
- services.caddy.virtualHosts."mail.${domain}".extraConfig = ''
- reverse_proxy 127.0.0.1:8080
- '';
+ services.caddy.virtualHosts."mailadmin.${domain}" = {
+ extraConfig = ''
+ reverse_proxy http://127.0.01:8080
+ '';
+ serverAliases = [
+ "mta-sts.${domain}"
+ "autoconfig.${domain}"
+ "autodiscover.${domain}"
+ "mail.${domain}"
+ ];
+ };
+ networking.firewall.allowedTCPPorts = [25 465 587 993];
 services.stalwart-mail = {
 enable = true;
 settings = {
- lookup.default.hostname = "mail.${domain}";
 server = {
- tls.certificate = "default";
- http = {
- url = "protocol + '://' + key_get('default', 'hostname') + ':' + local_port";
- use-x-forwarded = true;
+ hostname = "mx1.${domain}";
+ tls = {
+ enable = true;
+ implicit = true;
 };
 listener = {
 smtp = {
- bind = ["[::]:25"];
 protocol = "smtp";
+ bind = "[::]:25";
 };
 submissions = {
- bind = ["[::]:465"];
+ bind = "[::]:465";
 protocol = "smtp";
- tls.implicit = true;
 };
- imaptls = {
- bind = ["[::]:993"];
+ imaps = {
+ bind = "[::]:993";
 protocol = "imap";
- tls.implicit = true;
+ };
+ jmap = {
+ bind = "[::]:8080";
+ url = "https://mail.${domain}";
+ protocol = "jmap";
 };
 management = {
- bind = "[::]:8080";
+ bind = ["127.0.0.1:8080"];
 protocol = "http";
 };
 };
 };
- certificate.default = {
- default = true;
- cert = "%{file:/var/lib/stalwart-mail/cert/${domain}.pem}%";
- private-key = "%{file:/var/lib/stalwart-mail/cert/${domain}.priv.pem}%";
+ lookup.default = {
+ hostname = "mx1.${domain}";
+ domain = "${domain}";
 };
+ acme."letsencrypt" = {
+ directory = "https://acme-v02.api.letsencrypt.org/directory";
+ challenge = "dns-01";
+ contact = "postmaster@${domain}";
+ domains = ["${domain}" "mx1.${domain}"];
+ provider = "cloudflare";
+ secret = 
"%{file:${config.sops.secrets."stalwart-mail/ACME_SECRET".path}}%";
+ };
+ session.auth = {
+ mechanisms = "[plain]";
+ directory = "'in-memory'";
+ };
+ session.rcpt.directory = "'in-memory'";
+ queue.outbound.next-hop = "'local'";
+ directory."imap".lookup.domains = ["${domain}"];
 storage = {
 data = "rocksdb";
 fts = "rocksdb";
@@ -85,37 +107,4 @@ in {
 StateDirectoryMode = "0740";
 };
 };
-
- networking.firewall.allowedTCPPorts = [25 465 993];
-
- systemd.timers."stalwart-mail-update-certs" = {
- wantedBy = ["timers.target"];
- timerConfig = {
- OnCalendar = "daily";
- Persistent = true;
- Unit = "stalwart-mail-update-certs.service";
- };
- };
-
- systemd.services."stalwart-mail-update-certs" = {
- script = ''
- set -eu
-
- CADDY_CERT_DIR="/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}"
- STALWART_CERT_DIR="/var/lib/stalwart-mail/cert"
-
- mkdir -p "''\${CADDY_CERT_DIR}"
- mkdir -p "''\${STALWART_CERT_DIR}"
-
- cat "''\${CADDY_CERT_DIR}/${domain}.crt" > "''\${STALWART_CERT_DIR}/${domain}.pem"
- cat "''\${CADDY_CERT_DIR}/${domain}.key" > "''\${STALWART_CERT_DIR}/${domain}.priv.pem"
-
- chown -R stalwart-mail:stalwart-mail "''\${STALWART_CERT_DIR}"
- chmod -R 0700 "''\${STALWART_CERT_DIR}"
- '';
- serviceConfig = {
- Type = "oneshot";
- User = "root";
- };
- };
 }
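Review bot: The `jmap` listener on `[::]:8080` and the `management` listener on `127.0.0.1:8080` overlap on one port, so either the second bind fails or which listener answers Caddy's loopback connections is decided by the kernel rather than by this config, and the wildcard one is reachable from every interface with only the firewall list in the way; one loopback HTTP listener is enough, the Caddy target has a typo (`reverse_proxy http://127.0.01:8080` should read `127.0.0.1`), and since Caddy fronts it the removed `use-x-forwarded = true` should be kept so Stalwart's rate limits and failed-login blocking see the real client address instead of 127.0.0.1. Moving `tls.implicit = true` from the 465/993 listeners into the global `server.tls` block also applies it, if Stalwart treats that key as the listener default as its docs describe, to the port-25 MX listener, which must accept plaintext and upgrade via STARTTLS, and to the loopback listener Caddy reaches over plain HTTP, so keep implicit TLS on the two listeners that need it as the removed lines had it. The firewall now opens 587 but no listener binds it; either add a STARTTLS submission listener or trim it to `networking.firewall.allowedTCPPorts = [25 465 993];`. The dropped `certificate.default` pointed at copies of the Caddy private key under `/var/lib/stalwart-mail/cert`, and on already-deployed hosts those files survive this change and should be removed once ACME issuance works. Whether a single listener must be `protocol = "http"` or `"jmap"` to serve both JMAP and the admin UI depends on the pinned Stalwart version, so confirm that against its docs; the `services.stalwart-mail.settings` attribute set continues past the end of the hunk.
```nix
      server = {
        hostname = "mx1.${domain}";
        tls.enable = true; # implicit TLS is set per listener below, never globally
        # Caddy proxies 8080 from loopback: honour its X-Forwarded-For so rate
        # limiting and login-failure blocking see the real client address
        http.use-x-forwarded = true;
        listener = {
          smtp = {
            protocol = "smtp";
            bind = "[::]:25"; # MX port: plaintext + STARTTLS, no implicit TLS
          };
          submissions = {
            protocol = "smtp";
            bind = "[::]:465";
            tls.implicit = true;
          };
          imaps = {
            protocol = "imap";
            bind = "[::]:993";
            tls.implicit = true;
          };
          # Single loopback HTTP listener behind Caddy (JMAP + management UI);
          # confirm the protocol name against the pinned Stalwart version
          http = {
            protocol = "http";
            bind = "127.0.0.1:8080";
            url = "https://mail.${domain}";
          };
        };
      };
      # … unchanged: lookup.default, acme."letsencrypt", session, queue, directory, storage …
```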